AMENDMENTS TO THE CLAIMS 

1. (Currently Amended) A method for providing security in a computer system by a clean
group server, comprising:

in a processor of a clean group server:

specifying a set of properties for use in determining if an item is clean;

in response to receiving an add request from an item, the add request containing
evidence collected from the item relating to the presence or absence of the properties in the
specified set of properties, evaluating the add request to determine if the evidence proves
that the item has the specified set of properties; [[and]]

determining from the evidence in the add request whether the item has the
specified set of properties, and if so, designating the item as a member of a clean
group by instructing a domain controller to add the item to the clean group, the
domain controller configured to store information identifying network users and
resources; and

managing access to a plurality of group policy objects through an active directory
server, each of the group policy objects being associated with a group defined by the
domain controller, and the active directory server providing access to each of the
plurality of group policy objects to items based on membership in a group defined by the
domain controller such that only members of the clean group can read the group policy
object;

wherein:

members of the clean group communicate using security associations; and
a group policy object of the plurality of group policy objects comprises
parameters for security associations used by items of the clean group, whereby
communication with items of the clean group is restricted to other items within the
clean group.

2. (Previously presented) The method of Claim 1, wherein the item is a computer. 
3. (Previously presented) The method of Claim 2, wherein when the computer is to 
be evaluated, a clean component is installed on the computer to perform compliance 
checks and to collect the evidence relating to the presence or absence of the properties 
in the specified set of properties. 

4. (Original) The method of Claim 1, wherein a compliance check is performed at a 
selected time for an item to determine if the item has the specified set of properties. 

5. (Original) The method of Claim 1, wherein one of the specified set of properties is 
whether all of the available updates have been installed. 

6. (Original) The method of Claim 5, wherein the updates comprise at least one of 
security updates or service packs. 

7. (Previously presented) The method of Claim 1, further comprising receiving a 
message sent by the clean component after the item fails a compliance check performed 
by the clean component wherein the message indicates that the item should not be in the 
clean group. 

8. (Previously presented) The method of Claim 7, further comprising invalidating the clean 
group membership of the item in response to receiving the message. 

9. (Previously presented) The method of Claim 8, wherein the clean group membership of 
the item comprises local actions including at least hiding the domain credentials of the item. 

10. (Previously presented) The method of Claim 7, wherein if the compliance check fails, 
additional steps are taken including at least hiding cryptographic keys. 
11. (Canceled) 

12. (Previously presented) The method of Claim 1, wherein after the item is 
designated as a member of the clean group, a countdown is started and if another 
message is not received by the end of the countdown, the item is removed from the 
clean group. 

13. (Canceled) 

14. (Previously presented) The method of Claim 1, further comprising initiating a 
status check to determine if the items in the clean group still have the specified 
properties. 
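As an added example (not part of the amended claims or the applicant's implementation), the following Python model walks through the server-side lifecycle of claims 1, 7, 8 and 12: evaluating an add request against the specified set of properties, adding the item to the clean group through a stand-in domain controller, invalidating membership on a failure message, and removing items whose countdown lapses without a fresh add request. The class and method names, the property names and the 300-second countdown are assumptions.

```python
# Constructed model of the clean group server described in claims 1, 7, 8 and 12;
# names, property labels and the 300-second countdown are assumptions, not the
# patent's own code.

REQUIRED_PROPERTIES = frozenset({"security_updates_installed", "service_packs_installed"})
COUNTDOWN_SECONDS = 300  # assumed interval within which a fresh add request must arrive


class DomainController:
    # Stand-in directory: holds group membership for the clean group.
    def __init__(self):
        self.groups = {"clean": set()}

    def add_member(self, group, item):
        self.groups[group].add(item)

    def remove_member(self, group, item):
        self.groups[group].discard(item)

    def is_member(self, group, item):
        return item in self.groups[group]


class CleanGroupServer:
    def __init__(self, dc, required=REQUIRED_PROPERTIES, countdown=COUNTDOWN_SECONDS):
        self.dc = dc
        self.required = required
        self.countdown = countdown
        self.deadline = {}  # item -> time by which the next add request is due

    def handle_add_request(self, item, evidence, now):
        """Claim 1: evidence maps property -> bool; every required property must be proven."""
        proven = all(evidence.get(prop) is True for prop in self.required)
        if proven:
            self.dc.add_member("clean", item)  # instruct the directory to add the item
            self.deadline[item] = now + self.countdown
        else:
            self._evict(item)  # an item whose evidence falls short is never left in the group
        return proven

    def handle_failure_message(self, item):
        """Claims 7 and 8: the clean component reports a failed check; invalidate membership."""
        self._evict(item)

    def expire(self, now):
        """Claim 12: remove members whose countdown lapsed without another add request."""
        lapsed = sorted(i for i, due in self.deadline.items() if now > due)
        for item in lapsed:
            self._evict(item)
        return lapsed

    def can_read_group_policy(self, item):
        """Claim 1: the GPO carrying security-association parameters is readable by members only."""
        return self.dc.is_member("clean", item)

    def _evict(self, item):
        self.dc.remove_member("clean", item)
        self.deadline.pop(item, None)
```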

15. (Currently Amended) A system for managing security, comprising:

a network comprising a plurality of ports, at least a first portion of the ports being
wireless ports and a second portion of the ports being Ethernet ports;

a clean group server connected on the network;

a domain controller connected on the network and configured to store information
identifying network users and resources including a clean group indicating a group of computers
and users that are more trusted than computers and users not included in the clean group;

a plurality of items coupled to the network, with a first portion of the plurality of
items being coupled through a wireless port of the plurality of ports and a second portion
of the plurality of items being coupled through an Ethernet port of the plurality of ports,
each item comprising a clean runtime component, the clean runtime component being
installed on [[an]] the item and being able to communicate with the clean group server,
[[and]] the clean runtime component being configured to send an add request and a remove
request to the clean group server, the add request including evidence to be evaluated by
the clean group server for determining whether to add the item to a clean group;

wherein the clean group server is configured to determine whether the evidence sent by
the clean runtime component is sufficient to prove that the item is in compliance with a security
policy, and if so, to designate the item as a member of the clean group by instructing the domain
controller to add the item to the clean group and to remove the item from the clean group in
response to the remove request.

16. (Canceled) 

17. (Currently amended) The system of Claim 15, wherein the plurality of items 
comprise computers. 

18. (Currently amended) The system of Claim 15, wherein the clean runtime component is
configured to perform self-governance actions in response to performing a compliance check [[to
determine if]] that indicates that the item [[meets]] does not meet selected criteria.

19. (Original) The system of Claim 18, wherein one of the criteria is whether selected 
available updates have been installed. 

20. (Original) The system of Claim 19, wherein the updates comprise at least one of 
security updates or service packs. 

21. (Canceled) 

22. (Previously presented) The system of Claim 18, wherein the clean runtime 
component is configured to send the add request to the clean group server only after the 
self-governance compliance check passes. 

23. (Previously presented) The system of Claim 15, wherein the clean group server is
configured to, after designating the item as a member of the clean group, start a countdown;
and if another add request is not received by the end of the countdown, the clean group server
is configured to remove the item from the clean group.

1824557.1

Application No. 10/771,840 6
Reply to Office Action of December 23, 2008
Docket No.: M1103.70609US00

24. (Canceled) 

25. (Previously presented) The system of Claim 15, wherein the clean group server is 
configured to initiate a compliance check for items to determine if they should remain in the 
clean group. 

26. (Currently Amended) One or more computer-readable media having computer- 
executable components for providing security in a computer system, the computer- 
executable components comprising: 

a clean runtime object for installation on a computer, wherein the clean runtime 
object, when executed, performs a compliance check to determine if the computer has a 
specified set of properties, and sends an add request containing evidence relating to 
whether the computer has the specified set of properties to a clean group server and 
when the clean runtime object subsequently determines that the computer does not have 
the specified set of properties, performs self governance actions that disable the 
computer from communication with the clean group; and 

instructions for installation on a clean group server for processing the add 
request, wherein the instructions, when executed, cause the clean group server to 
instruct a domain controller configured to store information identifying network users 
and resources to add the computer as a member of a clean group upon receipt of the add
request, if the clean group server determines that the add request contains sufficient 
evidence to prove that the computer has the specified set of properties. 

27. (Original) The media of Claim 26, wherein the compliance check is performed 
initially upon installation of the runtime object. 
28. (Previously presented) The media of Claim 26, wherein the evidence indicates 
whether specified available updates have been installed on the computer. 

29. (Previously presented) The media of Claim 28, wherein the specified available updates 
comprise at least one of security updates or service packs. 

30. (Previously presented) The media of Claim 26, wherein after the add request is received 
by the clean group server, a countdown is started and if another message is not received by the 
end of the countdown, the clean group server instructs the domain controller to remove the 
computer from the clean group. 

31. (Currently Amended) The media of Claim 26, wherein the [[clean runtime object
initiates a compliance check on the computer]] self governance action comprises at
least one of erasing domain credentials, hiding domain credentials, hiding EFS keys
or disabling EFS keys.

32. (Previously presented) The media of Claim 26, wherein the clean group server 
communicates with the runtime object to initiate a compliance check. 

33. (Currently Amended) A method of operating a computer for providing security in a
computer system, comprising:

in a processor associated with the computer:

[[specifying a set of properties for use in determining if a computer is clean;]]

evaluating a computer to determine if it has [[the]] a specified set of
properties specifying whether the computer is clean;

sending an add request to a clean group server when it is determined that
the computer has the specified set of properties; and

when the computer is a member of a clean group and it is determined that
the computer does not have the specified set of properties, performing self
governance action, the self governance action comprising at least one of erasing
domain credentials, hiding domain credentials, hiding EFS keys or disabling
EFS keys.

[[based on whether or not the clean group server determines that the computer is in
compliance, the clean group server disabling or enabling the computer domain account
on a domain controller, the domain controller configured to store information identifying
network users and resources.]]

34. (Currently Amended) The method of Claim 33, wherein:

based on whether or not the clean group server determines that the computer is in
compliance, the clean group server disables or enables a computer domain account on a domain
controller, the domain controller configured to store information identifying network users and
resources; and

when a new computer domain account is to be added to the domain, the new 
domain account is placed in a disabled state until the associated computer is proved to 
the clean group server to be in compliance. 

35. (Currently Amended) The method of Claim [[33]] 34, wherein when a new computer 
domain account is to be added to the domain, the domain join operation that creates the new 
computer domain account is predicated on proving that the computer is in compliance by 
requiring the clean group server to participate in the domain join operations. 

36. (Currently Amended) The method of Claim [[33]] 34, wherein evaluating a computer 
comprises determining whether available updates have been installed on the computer. 

37. (Currently Amended) The method of Claim [[33]] 34, wherein the computer 
periodically performs compliance checks. 
38. (Currently Amended) The method of Claim [[33]] 34, wherein the clean group server 
periodically initiates a compliance check on the computer. 

39. (Currently amended) A method for providing security in a computer system,
comprising:

with a processor associated with each of a plurality of items, performing
at least in part, a compliance [[checks]] check for the item [[items]];

[[placing items which pass the compliance check into a clean group by]]
communicating a result of the compliance check to [[with]] a domain controller,
within the domain controller, for each of the plurality of items: [[the domain controller
configured to store information identifying network users and resources; and]]

[[removing items from]] altering data storage to indicate that the item
is not in the clean group [[which fail]] when the compliance check for the
item fails;

storing an indication that the item is in the clean group when the
compliance check for the item passes;

[[wherein items within the clean group can access]] selectively providing access to a
collection of IPSec communication requirements and parameters based on membership in
the clean group maintained by the domain controller; [[that allow them to communicate
with other items within the clean group; and]]

blocking access to the collection of IPSec communication requirements
and parameters by items not within the clean group; and [[cannot access the
collection of IPSec communication requirements and parameters]]

limiting communicating among items in the clean group to communication using
the IPsec communication requirements, and [[are thereby quarantined]] thereby quarantining
items outside the clean group from receiving information from or sending
information to items within the clean group.
40. (Original) The method of Claim 39, wherein after an item passes a compliance check and 
is placed in the clean group, a countdown is started and if another compliance check is not passed 
by the end of the countdown, the item is removed from the clean group. 

41. (Original) The method of Claim 39, wherein the item is a computer. 

42. (Original) The method of Claim 39, wherein the item performs a compliance 
check. 

43. (Original) The method of Claim 39, wherein a clean group server initiates a 
compliance check on the item. 

44. (Original) The method of Claim 39, wherein the compliance check is performed 
by the item communicating with an update Web site to determine if updates are available 
for the item. 

45. (Original) The method of Claim 44, wherein the item communicates with a clean 
group server to establish its membership in the clean group. 

46. (Canceled) 

47. (Previously presented) The method of Claim 39, wherein a compliance check is 
initiated by one or more of a client coming online, changes in client status/configuration, 
changes in network status/configuration, or changes to a compliance policy. 

48. (Original) The method of Claim 39, wherein a clean group server communicates 
to non-compliant items how to get back into compliance. 
49. (Original) The method of Claim 48, wherein the non-compliant items are directed to a 
Web site with online instructions to the user, and once the instructions are followed, another 
server-assisted compliance check is initiated. 

50. (Original) The method of Claim 48, wherein the non-compliant items are instructed 
how to get into the compliant state automatically without requiring a user's involvement. 

51. (Previously presented) The method of Claim 39, wherein an item is a user, and a 
user's clean group membership is evaluated on the basis of whether each of a set of 
computers associated with the user is in compliance. 

52. (Canceled) 

53. (Previously presented) The method of Claim 39, wherein items within the clean 
group are given access to the collection of IPSec settings by binding active directory group 
policy to the clean group membership such that only members of the clean group can read 
the policy. 

54-55. (Canceled) 

56. (Previously presented) The method of Claim 39, wherein a client that changes state 
from membership in the clean group to non-membership is required to clear all policy 
settings distributed via the clean group. 

57-59. (Canceled) 

60. (Previously presented) The method of Claim 1, further comprising designating the 
item as a member of a dirty group if the clean group server determines that the item does 
not have the specified set of properties. 
61. (Previously presented) The system of Claim 15, wherein the clean group server is
further configured to designate the item as a member of a dirty group if the evidence sent by the
clean runtime component is insufficient to prove that the item is in compliance with the security
policy.

62. (Previously presented) The method of Claim 8, wherein the clean group 
membership of the item comprises local actions including at least erasing the domain credentials 
of the item. 

63. (Previously presented) The method of Claim 7, wherein if the compliance check fails, 
additional steps are taken including at least logging out a privileged user. 